Security mindsets of very small businesses and residential clients
-
A residential client told me her password yesterday and I didn't know whether to laugh or cry. The password is a date with the month spelled out, AND she uses it for everything. So she got the speech about week passwords and how you shouldn't use the same one everywhere. She said it was too hard to change them and beside she would quit. Her husband spoke up and said I have too many to worry about, there is NO way I am going to change any of them.
Today, a business client needs a new email setup. I sent everything but the password via help desk and the password via secure email. I get back an email to send password via email. I forwarded the secure email again and tell her via support desk that I have sent it again. Her reply, I know, but I would rather have you send it email, because I have to set up an account to get it that way. That was 5 hours ago and I still have no idea how to reply without sounding like an ass.
ARRRGGG
-
UG... I know your pain.
-
Did you catch you own pun?
Her password is a spelled out month.
You called it a week password.
-
@Dashrender Residential clients I don't worry about so much.
-
Bottom line, give quick advice but don't spend your energy worrying about the lack if security if other people that are not your employees. Not your problem. Just let it go.
-
@scottalanmiller week...weak...wow, the damn spell check can't read my mind! Yeah I meant weak. And I wish I had been trying to be punny!
-
@scottalanmiller Good point. Now would you send the client their password in standard email because they didn't want it sent via secure email? It's my hosting server, I figure I am being security conscious by sending via secure email.
-
And now you know why I stopped supporting residential client long ago.
They a pain in the ### and they always complain about the bill.....
-
@technobabble said:
@scottalanmiller Good point. Now would you send the client their password in standard email because they didn't want it sent via secure email? It's my hosting server, I figure I am being security conscious by sending via secure email.
Absolutely. As long as they are the boss or the boss approved don't think twice, just do it. You tried to be secure and they explicitly don't want that. Time to deliver what they want.
-
@Aaron-Studer said:
And now you know why I stopped supporting residential client long ago.
They a pain in the ### and they always complain about the bill.....
Yeah. No money there.
-
I know the feeling. SMBs are much like the residential clients. They know it's bad for them, but still do it anyway. If it makes you feel any better, depending on the email platform you both use, the email may be encrypted in transit anyway.
Enterprise clients are generally better security-wise for the most part, though do have their own headaches to deal with.
-
@alexntg I am using Office 365.
-
@technobabble said:
@alexntg I am using Office 365.
That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.
-
@alexntg said:
@technobabble said:
@alexntg I am using Office 365.
That uses opportunistic TLS. If your receiving party does the same (or forces TLS) you'll be good to go for transmission encryption.
I recently had this argument with the owner of our company. He always refused to send passwords in email. Even internally. I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake. We had an SBS server and are now Office 365. Everything is encrypted to the devices.
-
Now I have to check my Zendesk ticketing system's encryption.
-
@JaredBusch said:
I repeatedly stated how much time he was wasting on a non-issue. Internal email is never on the public internet unencrypted for gods sake.
Depends on what the password is for, but other users may have been granted access to that user's e-mail. By using e-mail you may still be compromising security. It's about internal security as well as external security.
-
@Carnival-Boy you are taking security to the point of interfering with running a business IMO. IT is a business expense, but there is a balance to it just like any other business expense.
-
Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.
I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).
-
@Carnival-Boy said:
Possibly. I really don't know what best practice is and to be honest, I haven't thought about it all that much. E-mailing passwords just feels wrong to me.
I normally send them by SMS, which is possibly even less secure (but like I say, I haven't thought about it much until today).
If you know how SMS works, your pants would be brown right about now.
-
Not sure. Google et al's two-factor verification is based on SMS, so how bad can it be? What's the worst that can happen?
